#1
How do I learn to read the hijack logs?
Any websites or anything helpful would be appreciated. Thanks!
#2
Hi buddy... first, stick around here and read a lot... you may recognise certain things that occur regularly and can pick them out.
It's not easy to read logs... spyware changes almost daily, so new tools are developed for getting rid of this nightmare by folks far cleverer than us. I reckon these days 90% of puter problems are due to this intrusion of privacy... or even more. I don't want to point you in the direction of learning how at the moment, because a little knowledge in this case is a dangerous thing. When you have been around a while... well, that's different.
#3
dammit is correct, viking 12344. It takes time and willingness to research to learn to read a log correctly, and what many people do not realise is that when an entry is "fixed" in a Hijack This log, a registry key or value is actually being deleted.
This site will help you gain a greater understanding of Hijack This logs and what each code in a log refers to.
#4
Quote:
#5
Good morning!
Another question to be sure: when we find this, for example: O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL then we check and fix. Are we sure that BHO001.DLL is deleted? Thank you for your answer.
#6
Hi Acrobaze - Hijack This does usually delete the file associated with a BHO; however, it does not in the instance of the CWSSearchx (About:Blank) hijacker. That file has to be deleted manually.
#7
Thank you very much, AnnMarie.
#8
You are welcome, Acrobaze.
#9
Good morning!
I just saw a thing I'd never seen: R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s. I searched in Google... but nothing! I don't understand what this "+s" is. Do you know what it is? Thank you for your answer.
#10
Hi buddy... best thing is to post a fresh log, then someone can check it out for you.
#11
Hi Damnit! Thank you for answering me!
Here is the log I don't understand:

Logfile of HijackThis v1.97.7
Scan saved at 22:04:00, on 25/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Program Files\RamBooster\Rambooster.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Apps\ActivBoard\OSD.exe
C:\Planetis\Planetis.exe
C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CLEMENT.SNCD08200284\Mes documents\les setup\HijackThis ( contre 1 trojan ).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat....d=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.planetis.com/net@tous
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat....d=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [CTBPlanetisEDF] C:\Planetis\Planetis.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr...eleir_cert.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...wflash5r42.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26F1B73-0994-4A0C-B960-543002BB4DC7}: NameServer = 212.27.32.176 212.27.39.1

I don't know what these "+" are.
#12
I believe there is a sticky in the Cyber Safety forum on how to read 'em, or somewhere.
I forgot, there is a site; just search for "how to read hijack this logs" or something. Also I would use Google to search up all the .exes and files to see if they are Windows files or trojans, viruses or bad stuff. Ex: search for sajdfk.exe. It's not a real file, but if you search for it, look on sites and see what they have to say about that file.
#13
Hi again... Close all open windows, run hijack again and put a check in the boxes for the entries below, then hit "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat...id=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.planetis.com/net@tous
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat...id=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe

Reboot into Safe Mode (tap the F8 key during booting, until the boot menu appears). Make sure you can see hidden files and folders; here is how if you don't know: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Go to Start > Search > Files and Folders and run a search for, and delete, the following files and/or folders when/if found. Also Ctrl+Alt+Del to bring up Task Manager and end process on the below if running:

keyword.exe
manage.exe
#14
Hijacked!!!
I am new to this and without much computer knowledge.
I have managed to get my log by following the instructions I've seen in the forum. Can I post it here? Will someone tell me what to do next? If the answers to the above questions are "Yes", where is the "New Thread" icon that is said to be in the upper right corner of the page? I don't see it. Any info appreciated... Thanks...
#15
Hi hashashanur, welcome to CTH.
Yes, post your HijackThis log in a new thread. Click this link http://www.cybertechhelp.com/forums/...splay.php?f=25 and then click the 'New Topic' button in the upper left.